
The security landscape of software is evolving at a pace never seen before. Today, AI now writes a significant part of code being created by developers and its abilities are accelerating at a pace no one could have predicted. Few have considered the security impact from AI writing complex code bases in which humans are no longer writing and verifying the code generated. This change in how software is being developed and released is now presenting a number of unsolved security problems for the

Executive Summary This analysis represents the second instalment in a comprehensive examination of the KorPlug malware family. Previous reporting detailed the initial loading vector utilising DLL side-loading techniques against legitimate utilities to achieve code execution. The second-stage payload executes via a designated entry point function. Static analysis of the binary reveals that the Initialise function, invoked by the preceding loader stage, exhibits an anomalous Control Flow Graph (

Executive Summary In late May 2025, RevEng.AI identified a new sample of KorPlug (a.k.a Hodur) —a well-known Remote Access Trojan (RAT) frequently leveraged in targeted cyber-espionage campaigns—uploaded to a third-party file-scanning platform. This report is the first in a three-part series detailing a malware campaign involving KorPlug. This is the first of three reports describing a KorPlug campaign, detailing a three-stage malware-execution chain. The observed campaign detailed in this P

Reverse engineering malware often feels like solving a puzzle where half the pieces are hidden. Among the most common obstacles analysts face is string obfuscation—a technique where malware authors encrypt or encode strings to evade detection and frustrate analysis. This anti-analysis technique appears in virtually every modern malware family, turning what should be straightforward analysis into hours of tedious manual work. In this post, RevEng.AI will explore two approaches to dealing with th

Executive Summary In February 2025, the RevEngAI team observed an ongoing LummaStealer campaign that employed a distinct approach compared to the ClickFix method detailed in the previous instalment of this series. In this report, we take a closer look at this campaign and examine how the RevEng.AI platform successfully identified and facilitated the analysis of the associated samples. As described in our previous analysis, LummaStealer (aka LummaC2 or LummaC2 Stealer) is a malware variant desi

Executive Summary Throughout 2024, RevEng.AI has been actively monitoring LummaStealer as part of its mission to uncover and analyse emerging threats across the commodity malware landscape. In mid January 2025, we observed a LummaStealer campaign being distributed via ClickFix - in the form of fake reCAPTCHA pages. RevEng.AI has further examined and documented the delivery chain of LummaStealer in an effort to uncover whether the final payloads have also been subject to alterations in an effor

Introduction The challenge of converting low-level assembly code back into human-readable source code is a cornerstone problem in reverse engineering. In this post, we summarise recent work done at RevEng.AI that addresses this challenge through the development of foundational AI models designed for decompilation. As we shall see, this approach is able to produce surprisingly accurate code that more closely resembles human-written source-code than existing rules-based decompilers. Whilst these

In early September 2024, RevEng.AI conducted a brief analysis of the evasion techniques leveraged by modern malware and command-and-control (C2) frameworks. This analysis underscores the methods employed by adversaries to bypass traditional detection mechanisms and security solutions, enabling their malicious activities to remain concealed. The techniques described reflect the increasing tendency of malware and C2 developers to leverage low-level system features and obscure functionality within

Introduction In this post, we explore a vulnerability in the Windows IOMap64.sys driver (CVE-2024-41498) RevEng.AI researchers discovered with the help of our AI Binary Analysis Platform. We perform a technical analysis of the IOMap64.sys driver, cover the software fault leading to the vulnerability which under the hood allow a malicious user to read / write the entire physical memory (RAM), and finally provide a PoC to demonstrate exploitability. Alongside the core analysis, RevEng.AI has pro
Executive Summary RevEng.AI observed a Latrodectus sample (a.k.a. Unidentified 111, Lotus, BLACKWIDOW, IceNova) delivery chain using a malicious JavaScript (JS) stager uploaded to a third-party public malware scanning service on 23 June 2024. Since early January until the present, RevEng.AI has observed versions 1.1 to 1.3 in operational use by the adversary (although earlier versions do exist, as documented by industry reporting [1]). Latrodectus is a loader typically delivered by phishing
We use essential cookies for security and site functionality, plus optional tracking cookies to understand how you use our site and improve it. Privacy policy.